Overview



■ Background 

■ Cortana 

■ Distributed Bots 

■ Post-exploitation 

■ Behavior Modification 

■ User Interface 

This work was made possible through DARPA's 
Cyber Fast Track program. 



What this talk is not 



Not a Cortana tutorial 

Some features are skipped entirely 

An exploration of the software agent 
programming paradigm 

□ This is sad

□ Because it is fun



Today's Goals 



■ Demonstrate what Cortana can do

■ Cover major functionality 

■ Encourage you to try it. 



Introduction: Raphael Mudge 



■ Formerly, IRC LaMeR 

■ Developer, jIRCii IRC Client

■ Developer, Sleep Scripting Language 

■ Developer, Armitage 

■ Founder, Strategic Cyber LLC 



Introduction: jIRCii

Introduction: Sleep



Perl inspired syntax 
Built on Java 
Extensible 
Small! (~250KB)
Embedded in jIRCii



Introduction: Armitage 







Armitage Collaboration 




Cortana: What is it? 



■ A Scripting Language to: 
□ Automate Metasploit Framework
□ Extend Armitage



Cortana: What is it? 




The Software Agent Lens...

■ Cortana is a domain-specific language to develop 
"Agents" that conduct cyber operations... 

■ Team server provides distributed communication 

■ Metasploit offers capabilities and data model 

Cortana offers means to create long running agents 
that perceive context and respond to it. 

Cortana also provides tools to debug, understand, 
and assure positive control of agents 



Cortana: What it does 

■ Metasploit Control 

■ Data Management 

■ Post-Exploitation 

■ Team Server Participation 

■ Modify Armitage Behavior

■ Extend Armitage User Interface 



Cortana: Alternatives 

■ Extend Metasploit Framework 

□ Modules
□ Plugins
□ RC files

■ Metasploit RPC Server 

■ msfcli 



Distributed Bots 






Problem...

■ Jolly: It'd be nice if there was a way to know 
when new hosts/services pop up 

■ Chris: I'm constantly running scans, I'll put the
data wherever you like...

■ Me: I think I can help... 

■ Chris: I don't want to import my scans every 
minute. Can we automate this? 



Background: Event Listeners 



on event_name {
    # do this stuff
    # $1 = first argument
    # $2 = second argument
    # $n = nth argument
}



Data Events 



Hosts Request, Hosts Request N + 1



Do nothing 



Data Events



Credentials 

Hosts 

Loots 

Routes 

Services 

Sessions 






Host/Service Notify Bot 
Host Import Bot 

DEMO 
Post-exploitation






Problem 



■ I want to control sessions 

With multiple actors using them 

With assurance that the script won't lose control 



Background 



■ Interacting with a Meterpreter session: 

on meterpreter_command {
    # $1 = session id
    # $2 = command and arguments
    # $3 = output
}

m_cmd(session id, "command");



Background 



■ Interacting with a process through a meterpreter 
session: 

on exec_command {
    # $1 = session id
    # $2 = command and arguments
    # $3 = output
}

m_exec(session id, "command");



Background 



■ Interacting with a Shell session: 

on shell_command {
    # $1 = session id
    # $2 = command and arguments
    # $3 = output
}

s_cmd(session id, "command");



A cool demo 



DEMO 



Behavior Modification 



Problem 



■ I want to alter how Armitage does X 

□ Use a different payload for certain attacks
□ Integrate a different executable with psexec
□ Modify Armitage icon display



Background 



■ Filters: hook an action and change the
parameters

filter some_filter_name {
    # inspect $1, $2, $3, etc.
    return @_;
}



Another cool demo 



DEMO 



User Interface 






Problem 



■ I want to extend Armitage with new features 

□ Integrate third-party tools

□ Expose Metasploit Framework features

□ Control Cortana capabilities



Background 



■ Cortana scripts may: 

□ Define keyboard shortcuts
□ Define popup menus
□ Create console tab interfaces
□ Create table interfaces



The last cool demo 



DEMO 



Cortana: What is it? 



■ A Scripting Language to: 
□ Automate Metasploit Framework
□ Extend Armitage



Summary 



■ Background 

■ Cortana 

■ Distributed Bots 

■ Post-exploitation 

■ Behavior Modification 

■ User Interface 

This work was made possible through DARPA's 
Cyber Fast Track program. 



Where to go from here 



Twitter: @armitagehacker 
Email: rsmudge@gmail.com



Cortana is posted at: 



WWW: http://www.fastandeasyhacking.com



